Best Practices: Pass-Through w/Bypass

(Bridge Mode)
EdgeXOS Deployment Scenario: Bridge Pass-Through

This document is designed to provide an example as to how the EdgeXOS appliance

is configured based on a predefined scenario. The scenario is typical of many
customers and is outlined below. If you have any questions about this document or
how this scenario might differ from your actual deployment, please feel free to
contract our support center.

Support URL: http://www.myxroads.com

Additional documentation is available on our website via our Support link, select the
Documentation option. We also have a number of how-to videos online here:

Video (Step-by-Step Support) URL: http://videos.xroadsnetworks.com

Scenario Details:

The following outline provides some predefine requirements for this scenario. Most
of these requirements are taken from previous customer installs and real-world
deployments.

- Must be able to perform a transparent installation, meaning no changes to the

existing network architecture or IP address space.

- Must be able to load balance outbound end-user traffic across all three WAN links
and provide automated failover in the event of an outage on any of the links.

- Must be able to pass-through VPN tunnel to gateway firewall appliance through

the WAN1 link.

- Must be able to provide inbound SMTP server failover from WAN1 to WAN2 in
the event of a network WAN1 failure.

- Must be able to load balancing incoming web traffic between all three WAN links
to an IP address assigned to the firewall.

- Must be able to maintain session persistence for critical CRM application.

- Must be able to offload non-critical web traffic over our WAN2 link.

- The customer has 250 end-users sitting behind an existing firewall.

- The customer has an existing publicly routed network from WAN1.

- The customer has two additional links which each have 5 static addresses.
Deployment Method Selection
By utilizing the QuickStart Guide the method selected for this deployment is bridge
mode. Bridge mode is recommended every time a customer is looking to pass-
through traffic on their WAN1 connection to the LAN side of the EdgeXOS appliance.

This is the default diagram provided by the QuickStart Guide:

This diagram show the configuration BEFORE the EdgeXOS appliance is put in
place:
Here is the diagram based on our requirements AFTER the EdgeXOS appliance is in
place:

IMPORTANT: As of June 2010 XRoads Networks began recommending using

bridge mode over proxy ARP mode for pass-through situations as bridge mode
provides a better failover and failback mechanism without the potential for ARP
conflicts that are associated with proxy ARP mode.

Steps To Configure
(This is a step-by-step implementation guide for the scenario detailed above)

The first step when installing the appliance once the method has been
determined is to gain access to the web configuration interface. Given that you
have already attempted to access the unit and gotten used to the web-GUI while
the unit was offline, this document will show the actual installation procedure.

NOTE: It is also assumed that these steps will be taken during a schedule
maintenance period or during a time when a short outage period has been
approved.

Step 1) Physically place the EdgeXOS appliance between the firewall and the
WAN1 router. Connect the WAN1 Ethernet cable from the WAN1 router to the
WAN1 interface of the appliance (note this may require a cross-over cable). Plug
in the appliance and turn it on, the appliance takes approx 60 seconds to boot.

NOTE: When using proxy mode it is very important that the WAN1 interface of
EdgeXOS and the LAN interface of the gateway router are directly connected,
meaning no switches or other equipment can sit between these two devices.

BRIDGE MODE REQUIREMENTS

These diagrams show the right and wrong way to install the EdgeXOS appliance
when in proxy mode. The pass-through method works best when deploying in
this manner.

CORRECT

WAN1
ISP A
LAN
Switch
T1
Firewall
Router

INCORRECT

WAN1
ISP A
LAN
Switch Hub
T1
Router
Firewall

Step 2) Use a laptop or a PC to connect to the LAN interface of the appliance.

Make sure to configure the laptop/PC’s IP address to something in the
192.168.168.x/24 range. The screen shot below shows the settings we generally
recommend.
Connect to the LAN interface from the NIC of the laptop/PC (note a cross-over
cable may be required to do this). Make sure that you see a green light on the
EdgeXOS appliance’s LAN interface when it is plugged in. If a green light does
not appear the cable may not be working correctly or the interface on the
laptop/PC may not be enabled.

Step 3) Once connected first perform a PING operation to make sure that your
computer is able to access the appliance over the network. This operation can be
conducted on a Windows system via the Start menu. The image below shows how
to run this test:

You should get back a reply response from the ping test. If you do not, then your
computer is not setup on the correct network, or the appliance is not properly
connected to the network.

Once you are able to ping the appliance the next step is to open a web browser and
enter the URL http://192.168.168.254:8088. This is the default IP address of the
LAN interface for the EdgeXOS appliance. The 8088 is the default administrator web
port.
You must include the http:// portion any time you use a direct IP address in your URL
or the connection will not work.

Next you will be prompted for a login and password. The default login username is
‘admin’, the default login password is ‘password’. Enter these in the popup window
in order to log in to the appliance. This will grant you access to the Home page of the
device

Step 4) Now that you have logged in to the appliance you should see the Home
page. The first task is to configure the WAN and LAN interfaces. Click on the
Interfaces tab and enter the WAN address information.

The LAN address is 65.10.10.3 the subnet is 255.255.255.0 (see diagram).

The set the rate limit, which in this case is 10000, equal to a 10Mb connection.

Finally click the Apply button at the bottom of the page.

Once the LAN interface is configured select the WAN One Interface from the
drop-down menu.

The WAN address is 65.10.10.2 the subnet is 255.255.255.0 (see diagram).

The set the rate limit, which in this case is 10000, equal to a 10Mb connection.

Finally click the Apply button at the bottom of the page.

Do not Commit the interfaces yet. It is typically best to configure both the LAN
and WAN1 interfaces before committing the interfaces.

Step 5) Once you have configured bridge mode, it is important to add

administrative devices, i.e. those devices which will be used to administer the
appliance in the future. The reason for adding this information is to ensure that
the appliance maintains this information in its bridge state. To add this
information, select EdgeXOS Admins from the Interfaces drop-down menu.

Now add all LAN and WAN sides addresses which will be used to configure the
appliance, including any temporary addresses you are using for this setup.
Step 6) Prior to configuring any other interfaces we want to Commit the applied
interfaces to the interfaces and make sure that the WAN1 proxy is working.

Once committed the interfaces on the EdgeXOS appliance will automatically be

updated with the LAN and WAN interfaces changing to the new state.

NOTE: At this point you will lose access to the web-GUI.

You now need to change the IP address of the laptop to be equal to the new
subnet. In this case the laptop/PC needs to be changed to something like
64.10.10.5 with a 255.255.255.0 subnet and a gateway of 64.10.10.1.

Once the address has been changed you should be able to reconnect using the
new URL:

At this point you want to SAVE the configuration via the Save button on the
Home page. Once the configuration is saved you will need to plug the LAN
interface of the EdgeXOS appliance in to the firewall device.

IMPORTANT: The appliance should now be operating in pass-through bridge

mode, which means that all traffic from the LAN firewall should be going directly
out through the WAN1 gateway router. The EdgeXOS appliance does see this
traffic however at this time it is simply acting as a switch for the WAN1 network.

Step 7) The next step is to log back in to the web-GUI of the EdgeXOS appliance
from a device located behind the firewall, then continue with configuring the
WAN2 interface. Select the ‘WAN Interface Two’ menu option. Then enter the
following information.

Set the Interface to ‘Active’, ‘NAT’, and ‘Static’.

The WAN2 address is 10.10.10.2, the subnet is 255.255.255.252 (see diagram).

The WAN2 gateway is 10.10.10.1 (see diagram).

Leave the probe address blank as it will automatically fill in once the link is turned
up.
The set the rate limit, which in this case is 3000, equal to a 3Mb connection.

Finally click the Apply button at the bottom of the page.

Step 8) The next step is to configure the WAN3 interface. Select the ‘WAN
Interface Three’ menu option. Then enter the following information.

Set the Interface to ‘Active’, ‘NAT’, and ‘Static’.

The WAN3 address is 72.10.10.130, the subnet is 255.255.255.128 (see

diagram).

The WAN3 gateway is 72.10.10.129 (see diagram).

Leave the probe address blank as it will automatically fill in once the link is turned
up.

The set the rate limit, which in this case is 768, equal to a 768K connection.

Finally click the Apply button at the bottom of the page.

Step 9) The next step is to Commit all of the applied interface information. This
is done by clicking the Commit button and the Commit To Interfaces button.

Once you have confirmed that you are able to reconnect, take a look at the
interface status on the Home page. It may take up to 30 seconds for the WAN
links to become active. You may see that some interfaces are active but not all.
It may take up to a minute or two for all of the interfaces to initially become
active.

Once the links are all active attempt to perform a ping from the appliance out to
the Internet via the Tools tab, under the Ping menu.
You should get a positive result.

If this is the case, the next step is to perform a test from your laptop/PC.
Assuming that you correctly configured the gateway on the laptop/PC.

You should also get a positive response.

CONGRADULATIONS! The initial interface configuration process has been

completed. Next steps would be to configure inbound and outbound load
balancing rules, application routes, ActiveDNS, Vector Mappings, etc.

For more information on configuring those parameters, please refer to the

specific How To Guide which discusses those features.

Deployment Summary

By reviewing this document and the example scenario provided, it should make
deploying an EdgeXOS appliance in your environment easier. Please make sure
to review the QuickStart Guide first to determine which installation method to
use. Then make sure to review each of the HowToGuides and our online
support videos for assistance.

If you need installation assistance, feel free to contract support. The support
team is there to help. If you require an installation support call, please make sure
to fill out the Live Configurator form first by using the QuickStart document as a
guide. Feedback: http://www.xroadsnetworks.com/ubm/products/survey.xrn